Health Insurance Portability and Accountability Act (HIPAA)


Focus on HIPAA Compliance: New Marketing Requirements

On January 25, 2013, the Department of Health and Human Services (HHS) posted Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (the Final Rule). Audiologists and audiology practices will have until September 23, 2013 to come into compliance. Audiology practices will need to review closely any marketing practices involving payment from a third party, such as a hearing aid manufacturer, specifically to market the hearing aid manufacturer’s products or services to patients of the audiology practice.

As applied to an audiology practice, “marketing” would occur if the practice (or any individual audiologist) receives a financial benefit for the sale of a patient contact list to a hearing aid manufacturer for the purpose of marketing that manufacturer’s products to the practice’s patients. In this example, a signed authorization by each patient on the contact list would be required under the Final Rule to indicate the patient has agreed to have their information shared by the practice. It is important to remember that, in the absence of a financial exchange between the audiology practice and manufacturer, patient authorization is not required when the practice makes treatment or operational communications to patients via regular mail, electronic mail or through other methods of communication.

Under the Final Rule, refill reminders or communications about a drug or biologic agent currently being prescribed to the patient are exempt from this authorization requirement. HHS clarified that “adherence communications encouraging individuals to take their prescribed medications as directed fall within the scope of the exception.” However, the exemption also requires that any payment made for sending the communication be “reasonably related” to the cost of making the communication, i.e., not greater than the costs associated with drafting, printing and mailing the communications. It is the Academy’s understanding, after speaking with representatives from the Department of Health and Human Services Office for Civil Rights, that patient mailings regarding routine check-ups for treatment purposes would not require an authorization. However, the Academy urges members to proceed with caution, given the untested nature of the rule and because the scope of the marketing section has not been fully clarified. One way members may comply with the new HIPAA marketing requirements is to update their Notice of Privacy Practices to seek authorization for marketing communications from all patients effective September 23, 2013.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 as Public Law 104-191 to improve portability and continuity of health insurance coverage, to combat waste, fraud and abuse in health insurance and health care delivery, and to simplify the administration of health insurance. In addition, there are provisions to protect and secure electronic transmissions of Protected Health Information (PHI).

The U.S. Department of Health and Human Services offers a summary of the HIPAA Privacy Rule [4].

Protected Health Information

The Privacy Rule protects all PHI, or “individually identifiable health information,” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. Individually identifiable health information is information that relates to:

the individual’s past, present or future physical or mental health or condition,

the provision of health care to the individual, or

the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

2010 HIPAA Updates

Electronic Health Records

The American Recovery and Reinvestment Act of 2009 (ARRA, also known as the “Stimulus Bill”) included several HIPAA updates within the legislation. One of these updates provides that civil penalties collected by the Office for Civil Rights (OCR) for privacy or security violations will be used to fund greater enforcement efforts. A second update was the promotion of Electronic Health Records (EHR) through incentive payments to health-care providers and disincentives (reductions in payment) for practices that have not converted to EHR by 2015. The incentives for compliance begin in 2011.

Your office may need to have additional Business Associate Agreements (BA) due to HIPAA’s expanded requirements

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of ARRA, also addresses the expansion of HIPAA’s coverage, enforcement requirements and penalties. While current HIPAA law applies to “covered entities” (i.e., health-care providers, health-care clearinghouses and health plans), entities that also use PHI, such as billing and information technology companies, are now considered Business Associates (BA) and must also comply with HIPAA requirements, effective February 22, 2010. A BA agreement is required with anyone who has routine access to PHI, as well as with those who contract with covered entities.

As part of the HITECH Act, certain provisions of the HIPAA privacy and security rules will also directly apply to business associates. BAs will need to implement their own technical, administrative and physical safeguards in order to be HIPAA compliant, or be subject to civil and criminal penalties for HIPAA violations (Barnes & Thornburg LLP 2009).

Data breach requirements

Another requirement of the HITECH Act is notification when there is a breach of “unsecured PHI.” A breach is defined as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by the HIPAA Privacy Rules] which compromises the security or privacy of the protected health information” (Barnes & Thornburg LLP 2009). “Unsecured PHI” is information that is not secured by technology specified by the Secretary of Health and Human Services.

If a breach is discovered, a risk assessment will need to be conducted to ascertain whether a significant risk of harm due to the disclosure of PHI has occurred. If it is determined that a breach of unsecured PHI has occurred, the covered entity must take the required steps to protect individuals from harm and notify each affected individual without unreasonable delay, and no later than 60 calendar days following the date of discovery (Barnes & Thornburg LLP 2009). The breach must be investigated, and actions must be instituted to mitigate the harm to those affected and to protect against further breaches. If a breach affects fewer than 10 individuals, the covered entity may offer written notice via e-mail, telephone, or other methods (Barnes & Thornburg LLP 2009).

If a breach affects more than 500 residents of a state or jurisdiction, a covered entity is required to provide notice to a prominent media outlet as well as to notify the individuals involved. A jurisdiction is a geographic area that is smaller than a state (Barnes & Thornburg 2009). The type of media outlet to be used is determined by the number of affected individuals. When 500 or more individuals have been exposed by a breach, the Department of Health and Human Services must be notified immediately, or no later than 60 calendar days following the date of discovery.

If a BA is the one to uncover a breach, the BA must notify the covered entity, which then notifies the individuals affected by the breach.